Evident domain

About two years ago, TLC Vision, fresh off a recent acquisition, got sued by an employee who believed he was slighted by the company's profit-sharing program. The employee's lawyers demanded that TLC Vision produce any electronically stored communications related to the case.

It wasn't an out-of-left-field request for TLC. After all, the $300 million-a-year eye care services company that specializes in laser vision correction surgery (Tiger Woods was a client) had been storing emails since 1999 – long before some employees even had internet access. But what made this e-discovery request particularly burdensome was the arduous recovery process that resulted. It spanned such a wide range of dates that the IT department had to devote two full-time staff members to the job.

“It was brutal,” recalls Roger McIlmoyle, the Chesterfield, Mo.-based company's director of technical services. “To restore all the data from tape literally took us weeks. And then to index it all took days and days. And then to conduct searches on it…It was extremely painful.”

That incident, combined with a sense that such requests would become commonplace when the amended Federal Rules of Civil Procedure (which codified e-discovery) took effect at the end of 2006, forced TLC Vision to act. So the company got rid of its tapes and deployed an email archiving solution from Toronto-based Jatheon Technologies that allowed it to index and easily search records.

“I think people know now that electronic documents are available and they're required to be available,” McIlmoyle, 46, says. “Now if we have any litigation going on, it's just part of the general requirement to deliver documentation. It's almost become a boilerplate. I'm sure every other organization is encountering the same thing.”

Most are, at least heavily regulated and deep-pocketed companies that regularly face government mandates and litigations. According to a study last year by the Enterprise Strategy Group, 67 percent of large enterprises – defined as having 20,000 employees or more – have been involved in litigation that required the retrieval of electronic documents, compared to 47 percent in 2005.

The amended Federal Rules of Civil Procedure, which took effect Dec. 1, 2006, order opposing litigants to meet and discuss what electronic information is applicable to the case. The amended regulations also state that companies, at the first sign of a possible lawsuit, must begin archiving records – most commonly email exchanges – that could be related to the case.

Archiving solutions that are easily searchable help meet these new demands in ways tapes and disks never could. While the security department still, for the most part, oversees the preservation and recovery process, many products are becoming intuitive enough for legal teams to use – without relying on IT for guidance.

But, as organizations are learning, these offerings go well beyond providing businesses with the ability to quickly produce electronic evidence if they are sued (although that remains the most common benefit of email archiving, according to a second Enterprise Strategy Group study).

According to experts, e-discovery also offers a key way for organizations to get a handle on rising amounts of data stored throughout their infrastructure – which, if done right, is part of an overall risk management and mitigation strategy.

“You need to not think about e-discovery as just a reactive process to some legal proceedings, but more as a proactive approach to enterprise information management,” says Bill Bartow, vice president of product management at Tizor Systems, a Maynard, Mass.-based data auditing firm.

“E-discovery should be considered part of a broader project,” Bartow says. “There are lots of different places where sensitive data with legal implications could be stored.” (He urges companies, when preserving data, to remember sensitive information sitting in some other repository outside of the email logs, such as databases and file shares.)

McIlmoyle says that TLC Vision decided to begin retaining emails in 1999 – not because it anticipated an influx of litigation, but because it believed it was a best practice.

“The company has always known that we're dealing in privacy, and a great deal of communication occurs in email,” he says. “The fact that we can satisfy some legal request is a side benefit. That's not the reason we did it. It comes down to risk mitigation, primarily the risk of losing information critical to the company.”

That would be helpful when searching through an archive, of course, but such technology also could be used to potentially flag inappropriate content from being sent in the first place – thereby limiting the chance of a lawsuit, he says.

The push to preserve data also allows organizations to set retention policies, which let them get rid of data they don't need – a priority for organizations holding valuable information, says Brian Babineau, a senior IT analyst at Milford, Mass.-based Enterprise Strategy Group.

“I think the biggest thing proved by the federal rules is that electronically stored information establishes that organizations have to view business records as potential sources of record,” he says. “[They] will drive organizations to make better decisions on information management.”

“The more data you have to look through when you get an inquiry, the more expensive it gets,” Babineau says. “People don't necessarily know where the information is…so they spend a lot of time chasing fires.”

Most organizations are anticipating at least modest gains in e-discovery spending, year over year, which will undoubtedly catch the attention of the board room executives. Companies will react by adopting more sophisticated archiving solutions that can quickly sort through mounds of data – a method that will trim costs for organizations contracting with third-party e-discovery consultants, who review the data once it is retrieved.

But the rising number of e-discovery requests also may prompt some businesses to encourage their attorneys to take a leaner, more effective approach.

“There's pressure on in-house counsel, and outside counsel who are hired by them, to manage electronic discovery efficiently and hold the costs down, and the resulting countervailing pressure that lawyers have a responsibility to comply with the court,” says Steven Kaufmann, a Denver-based partner with law firm Morrison & Foerster. “You have to keep costs down and you have to do a good and thorough job.”

That means outside counsel has to do three things, Kaufmann adds. “They have to plan the e-discovery process better; if possible, develop strategy early in the case; and they have to be efficient at it.”

Of course, this runs the risk of attorneys cutting corners. And courts, at least based on a couple of recent high-profile cases, do not respond warmly to perceived negligence when it comes to e-discovery – whether it is to trim budgets, hide the facts or some other reason.

For example, a federal judge in January sanctioned six attorneys for discovery violations following a patent infringement trial that Qualcomm had brought against Broadcom. In her 42-page judgment, U.S. Magistrate Judge Barbara Major concluded that Qualcomm's attorneys helped Qualcomm in “intentionally hiding or recklessly ignoring relevant documents,” including tens of thousands of emails.

And in an ironic instance, in late June, chemical manufacturer Celanese sued its own attorneys, accusing the high-powered New York law firm Kaye Scholer of malpractice for discovery abuse during an anti-trust lawsuit.

Of course, the rising cost of e-discovery is not the only challenge organizations grapple with when developing a preservation and recovery plan.

Making data readily available for viewing by outsiders – as e-discovery requires – might send shivers up the spines of some information security professionals, whose main objective is to keep sensitive information inaccessible to outsiders, Babineau says.

“[E-discovery] is the antithesis of their modus operandi,” he says.

Kaufmann says this issue may be particularly impactful in Europe, where privacy laws are considered much more stringent than in the United States. Cases are sure to arise where a multinational U.S.-based company needs to retrieve documents from one of its European repositories – but such a move would clash with EU privacy regulations.

But, experts say, organizations can take steps to maintain protection on their critical data – all the while making it readily available should a legal discovery arise. Chief among those are implementing strong access controls, say experts.

At TLC Vision, McIlmoyle says each employee has access to his or her own email archive – but only a select few can access all the archived documents.

“Four people in the company have the ability to do an across-the-entire-archive search,” he says. The privileged quartet consists of himself, the chief information officer, the lead counsel and the lead counsel's primary assistant.

Outsourcing data?Many times, once data is recovered for a trial, it is moved to the possession of a third-party hosting provider, which is responsible for protecting the data while it is accessed and viewed by interested parties, experts say. Such a setup, though, would not pass muster in-house.

“If you ask your [company's] IT department to do that, it creates a huge concern because their whole goal is to keep external parties outside,” Babineau says.

Then, there is the quandary that is encryption. By its very definition, the technology is designed to scramble data so others cannot view it. This, of course, does not lend itself well to easy retrieval during discovery. That is why many companies choose only to encrypt data leaving the organization, experts say.

“There are times in the information life cycle where encryption makes a lot of sense and there are times when it doesn't,” Babineau says. “When data comes to its final resting place, you're probably not going to want to encrypt it.”

TLC Vision follows such a protocol. “Because the archive is internal, it stores it unencrypted,” McIlmoyle says. “As soon as it's going to exit our control, that's when we encrypt.”

“It really depends on what you want to send off to the archive,” he says. “We don't see a lot of encrypted files. What they're pushing off to the archive, they know they have to be able to search it, and it can't be in an encrypted format.”

If there is encrypted data needed for litigation, policy should dictate that the employee holding the key must be available to quickly decrypt it – for example, brokerage communication, he says.

One other e-discovery caveat worth mentioning: companies must ensure they can validate a document's history. A precedent may have been set when a judge ruled, in the 2007 case of Lorraine vs. Markel American Insurance Co., that neither side could offer emails as evidence because they could not prove they were legitimate.

“One party, with a couple clicks of a mouse could mock up an email and submit it for the record,” says Zafar Khan, CEO of Los Angeles-based RPost, provider of registered email receipts.

Assuming risk
Of course, if the challenges of implementing an e-discovery program seem too overwhelming, the option always exists to assume the risk of not being sued, especially for small businesses, experts say. Forty-six percent of 441 respondents to an Enterprise Strategy Group study said they have never been involved in a legal proceeding that required the recovery of electronic records.

With adoption estimates of archiving solutions as low as 30 percent, some firms seem content to take the chance.

“Most think they will live with that risk,” says Rick Dales, vice president of product management at Toronto-based email archiving provider Fortiva, acquired by Proofpoint in June.

“Today the firms that are taking action are the firms that have faced the pain of legal discovery to gather information,” he adds. “The bigger the firm is, the more likely they will get sued because there is more money there.”

But that may change as businesses catch on to the ancillary benefits of preservation requirements, observers say.

“People [may] realize that this information is not just a point-in-time communication, but a history of what the company has done,” Dales says.

[sidebars]

Discovering empty pockets

Failing to comply with e-discovery regulations could mean big fines to offending companies. Here are some hefty penalties the federal Securities and Exchange Commission handed out prior to the new Federal Rules of Civil Procedure, which took effect December 2006.

• 2004: Bank of America's brokerage arm was fined $10 million for failing to make available emails that concerned issues under federal investigation.

• 2005: UBS Securities was fined $2.1 million for failing to preserve on backup tapes three years of emails. The SEC was investigating UBS' research and investment banking activities.

• 2006: Morgan Stanley was fined $15 million for failing to provide tens of thousands of emails sought for an SEC investigation of brokerage houses.

Source: Law.com

An e-discovery caveat: Admissibility

What if an organization does everything right with its preservation of electronic documents, but once it offers them to the opposing counsel, the attorney questions the authenticity of the data?

It can happen. A 2007 federal judge ruled in the case of Lorraine vs. Markel American Insurance Co. that neither side was allowed to offer emails as evidence because they could not prove they were legitimate.

What precedent the decision will set remains to be seen, but organizations must ensure they can validate a document's history, says Zafar Khan, chief executive officer of Los Angeles-based RPost, which provides registered email receipts.

“One party, with a couple clicks of a mouse, could mock up an email and submit it into the record,” he says. “You run the risk of the other lawyer saying, ‘We don't believe these emails are true records.'”